Overview

overview

10

Static

static

3

86b9d17c28...7e.exe

windows7-x64

10

86b9d17c28...7e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-10-2024 01:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    86b9d17c28f513e6610f028215365d251053d95326a6e2d4dc5d3d84d791887e.exe

  • Size

    1.8MB

  • MD5

    130b282dc6eb40ad9df048de58ac4e96

  • SHA1

    2195152ae0ed7102147302131e3c4069df145892

  • SHA256

    86b9d17c28f513e6610f028215365d251053d95326a6e2d4dc5d3d84d791887e

  • SHA512

    f3106a723038e069c23730b2613c0da43185857d5b2c3b8bc47f637910a961f9fded496ba0181b32499ca82cf1f29695401289d1f5417de33afb839652db6ce1

  • SSDEEP

    49152:VTRL60dYPWc+u/DRvkEmtk8Ziitqaxu+W6av6I:VTRW+s+uVvbKTtqejWdv6

Score
10/10
amadeycryptbotlummaredlinestealc1176f29c9aa5default_valencigadomafed3aatg cloud @rlreborn admin @fatherofcarderscredential_accessdiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

fed3aa

C2

http://185.215.113.16

Attributes
  • install_dir

    44111dbc49

  • install_file

    axplong.exe

  • strings_key

    8d0ad6945b1a30a186ec2d30be6db0b5

  • url_paths

    /Jo89Ku7d/index.php

rc4.plain

Extracted

Family

lumma

C2

https://drawwyobstacw.sbs

https://condifendteu.sbs

https://ehticsprocw.sbs

https://vennurviot.sbs

https://resinedyw.sbs

https://enlargkiw.sbs

https://allocatinow.sbs

https://mathcucom.sbs

https://clearancek.site

https://licendfilteo.site

https://spirittunek.store

https://bathdoomgaz.store

https://studennotediw.store

https://dissapoiznw.store

https://eaglepawnoy.store

https://mobbipenju.store

Extracted

Family

stealc

Botnet

default_valenciga

C2

http://185.215.113.17

Attributes
  • url_path

    /2fb6c2cc8dce150a.php

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

C2

http://185.215.113.43

Attributes
  • install_dir

    abc3bc1985

  • install_file

    skotes.exe

  • strings_key

    8a35cf2ea38c2817dba29a4b5b25dcf0

  • url_paths

    /Zu7JuNko/index.php

rc4.plain

Extracted

Family

redline

Botnet

TG CLOUD @RLREBORN Admin @FATHEROFCARDERS

C2

89.105.223.196:29862

Extracted

Family

stealc

Botnet

doma

C2

http://185.215.113.37

Attributes
  • url_path

    /e2b1563c6670f193.php

Extracted

Family

amadey

Version

4.41

Botnet

1176f2

C2

http://185.215.113.19

Attributes
  • install_dir

    417fd29867

  • install_file

    ednfoki.exe

  • strings_key

    183201dc3defc4394182b4bff63c4065

  • url_paths

    /CoreOPT/index.php

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • CryptBot

    CryptBot is a C++ stealer distributed widely in bundle with other software.

    spywarestealercryptbot
  • Detects CryptBot payload 1 IoCs

    CryptBot is a C++ stealer distributed widely in bundle with other software.

    spywarestealer
  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 13 IoCs
    evasion
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 26 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 9 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 32 IoCs
  • Identifies Wine through registry keys 2 TTPs 13 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 5 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of NtSetInformationThreadHideFromDebugger 13 IoCs
  • Suspicious use of SetThreadContext 5 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 2 IoCs
    evasion
  • Kills process with taskkill 2 IoCs
    evasion
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 45 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\86b9d17c28f513e6610f028215365d251053d95326a6e2d4dc5d3d84d791887e.exe
    "C:\Users\Admin\AppData\Local\Temp\86b9d17c28f513e6610f028215365d251053d95326a6e2d4dc5d3d84d791887e.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:232
    • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
      "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1648
      • C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe
        "C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:552
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 552 -s 1220
          4⤵
          • Program crash
          PID:1640
      • C:\Users\Admin\AppData\Local\Temp\1000004001\legas.exe
        "C:\Users\Admin\AppData\Local\Temp\1000004001\legas.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4676
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4084
          • C:\Users\Admin\AppData\Roaming\tW3lXIBtNw.exe
            "C:\Users\Admin\AppData\Roaming\tW3lXIBtNw.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1224
          • C:\Users\Admin\AppData\Roaming\pDn6cvCk8v.exe
            "C:\Users\Admin\AppData\Roaming\pDn6cvCk8v.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2636
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 252
          4⤵
          • Program crash
          PID:4344
      • C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
        "C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        PID:4420
      • C:\Users\Admin\AppData\Local\Temp\1000354001\e3712cfedd.exe
        "C:\Users\Admin\AppData\Local\Temp\1000354001\e3712cfedd.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:4836
      • C:\Users\Admin\AppData\Local\Temp\1000355001\dfc22232a4.exe
        "C:\Users\Admin\AppData\Local\Temp\1000355001\dfc22232a4.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Checks computer location settings
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4144
        • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
          "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Checks computer location settings
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Adds Run key to start application
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:4588
          • C:\Users\Admin\AppData\Local\Temp\1000349001\dd935631ba.exe
            "C:\Users\Admin\AppData\Local\Temp\1000349001\dd935631ba.exe"
            5⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            PID:2000
          • C:\Users\Admin\1000350002\a53e864ea4.exe
            "C:\Users\Admin\1000350002\a53e864ea4.exe"
            5⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            PID:4448
          • C:\Users\Admin\AppData\Local\Temp\1000357001\52bfcbe041.exe
            "C:\Users\Admin\AppData\Local\Temp\1000357001\52bfcbe041.exe"
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Windows security modification
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4280
          • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
            "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
            5⤵
              PID:2044
            • C:\Users\Admin\AppData\Local\Temp\1000401001\num.exe
              "C:\Users\Admin\AppData\Local\Temp\1000401001\num.exe"
              5⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:4316
        • C:\Users\Admin\AppData\Local\Temp\1000399001\MK.exe
          "C:\Users\Admin\AppData\Local\Temp\1000399001\MK.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2460
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            4⤵
              PID:4428
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
              4⤵
                PID:1944
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                4⤵
                  PID:4488
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                  4⤵
                  • System Location Discovery: System Language Discovery
                  • Modifies system certificate store
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4332
              • C:\Users\Admin\AppData\Local\Temp\1000406001\Nework.exe
                "C:\Users\Admin\AppData\Local\Temp\1000406001\Nework.exe"
                3⤵
                • Checks computer location settings
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:3896
                • C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
                  "C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"
                  4⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:4428
                  • C:\Users\Admin\AppData\Local\Temp\1000091001\2927.exe
                    "C:\Users\Admin\AppData\Local\Temp\1000091001\2927.exe"
                    5⤵
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    PID:1048
                    • C:\Users\Admin\AppData\Local\Temp\is-JRF6D.tmp\2927.tmp
                      "C:\Users\Admin\AppData\Local\Temp\is-JRF6D.tmp\2927.tmp" /SL5="$701E0,922170,832512,C:\Users\Admin\AppData\Local\Temp\1000091001\2927.exe"
                      6⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • System Location Discovery: System Language Discovery
                      PID:2044
                      • C:\Windows\SysWOW64\cmd.exe
                        "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-G8716.tmp\my.bat""
                        7⤵
                        • System Location Discovery: System Language Discovery
                        PID:224
                  • C:\Users\Admin\AppData\Local\Temp\1000092001\JavUmar1.exe
                    "C:\Users\Admin\AppData\Local\Temp\1000092001\JavUmar1.exe"
                    5⤵
                    • Checks computer location settings
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    • Checks processor information in registry
                    PID:5304
                    • C:\Users\Admin\AppData\Local\Temp\service123.exe
                      "C:\Users\Admin\AppData\Local\Temp\service123.exe"
                      6⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • System Location Discovery: System Language Discovery
                      PID:5532
                    • C:\Windows\SysWOW64\schtasks.exe
                      "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
                      6⤵
                      • System Location Discovery: System Language Discovery
                      • Scheduled Task/Job: Scheduled Task
                      PID:1216
              • C:\Users\Admin\AppData\Local\Temp\1000407001\processclass.exe
                "C:\Users\Admin\AppData\Local\Temp\1000407001\processclass.exe"
                3⤵
                • Checks computer location settings
                • Executes dropped EXE
                • Suspicious use of AdjustPrivilegeToken
                PID:4324
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /c start context.exe
                  4⤵
                    PID:5124
                    • C:\Users\Admin\AppData\Local\Temp\context.exe
                      context.exe
                      5⤵
                      • Drops startup file
                      • Executes dropped EXE
                      • Suspicious use of SetThreadContext
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:5180
                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                        6⤵
                        • System Location Discovery: System Language Discovery
                        PID:5776
                        • C:\Windows\SysWOW64\cmd.exe
                          "C:\Windows\System32\cmd.exe" /k "taskkill /f /im "InstallUtil.exe" && timeout 1 && del InstallUtil.exe && Exit"
                          7⤵
                          • System Location Discovery: System Language Discovery
                          PID:5880
                          • C:\Windows\SysWOW64\taskkill.exe
                            taskkill /f /im "InstallUtil.exe"
                            8⤵
                            • System Location Discovery: System Language Discovery
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:5928
                          • C:\Windows\SysWOW64\timeout.exe
                            timeout 1
                            8⤵
                            • System Location Discovery: System Language Discovery
                            • Delays execution with timeout.exe
                            PID:5992
                • C:\Users\Admin\AppData\Local\Temp\1000409001\splwow64.exe
                  "C:\Users\Admin\AppData\Local\Temp\1000409001\splwow64.exe"
                  3⤵
                  • Drops startup file
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2336
                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                    4⤵
                    • System Location Discovery: System Language Discovery
                    PID:5396
                    • C:\Windows\SysWOW64\cmd.exe
                      "C:\Windows\System32\cmd.exe" /k "taskkill /f /im "InstallUtil.exe" && timeout 1 && del InstallUtil.exe && Exit"
                      5⤵
                      • System Location Discovery: System Language Discovery
                      PID:5504
                      • C:\Windows\SysWOW64\taskkill.exe
                        taskkill /f /im "InstallUtil.exe"
                        6⤵
                        • System Location Discovery: System Language Discovery
                        • Kills process with taskkill
                        • Suspicious use of AdjustPrivilegeToken
                        PID:5552
                      • C:\Windows\SysWOW64\timeout.exe
                        timeout 1
                        6⤵
                        • System Location Discovery: System Language Discovery
                        • Delays execution with timeout.exe
                        PID:5608
                • C:\Users\Admin\AppData\Local\Temp\1000424001\app.exe
                  "C:\Users\Admin\AppData\Local\Temp\1000424001\app.exe"
                  3⤵
                  • Checks computer location settings
                  • Drops startup file
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4240
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAMQAwADAAMAA0ADIANAAwADAAMQBcAGEAcABwAC4AZQB4AGUAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcADEAMAAwADAANAAyADQAMAAwADEAXABhAHAAcAAuAGUAeABlADsAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABzAHEAZABxAHMAZAAuAGUAeABlADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAHMAcQBkAHEAcwBkAC4AZQB4AGUA
                    4⤵
                    • System Location Discovery: System Language Discovery
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:5432
                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                    4⤵
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:5824
            • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
              C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
              1⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious behavior: EnumeratesProcesses
              PID:4264
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 552 -ip 552
              1⤵
                PID:2272
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4676 -ip 4676
                1⤵
                  PID:3132
                • C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
                  C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
                  1⤵
                  • Executes dropped EXE
                  PID:6008
                • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  1⤵
                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                  • Checks BIOS information in registry
                  • Executes dropped EXE
                  • Identifies Wine through registry keys
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • Suspicious behavior: EnumeratesProcesses
                  PID:6012
                • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
                  C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
                  1⤵
                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                  • Checks BIOS information in registry
                  • Executes dropped EXE
                  • Identifies Wine through registry keys
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • Suspicious behavior: EnumeratesProcesses
                  PID:6048
                • C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
                  C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
                  1⤵
                  • Executes dropped EXE
                  PID:5484
                • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  1⤵
                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                  • Checks BIOS information in registry
                  • Executes dropped EXE
                  • Identifies Wine through registry keys
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • Suspicious behavior: EnumeratesProcesses
                  PID:4080
                • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
                  C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
                  1⤵
                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                  • Checks BIOS information in registry
                  • Executes dropped EXE
                  • Identifies Wine through registry keys
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • Suspicious behavior: EnumeratesProcesses
                  PID:4552
                • C:\Users\Admin\AppData\Local\Temp\service123.exe
                  C:\Users\Admin\AppData\Local\Temp\/service123.exe
                  1⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  PID:2848

                Network

                MITRE ATT&CK Enterprise v15

                Reconnaissance

                Resource Development

                Initial Access

                Execution

                Scheduled Task/Job

                1
                T1053

                Scheduled Task

                1
                T1053.005

                Persistence

                Boot or Logon Autostart Execution

                1
                T1547

                Registry Run Keys / Startup Folder

                1
                T1547.001

                Create or Modify System Process

                1
                T1543

                Windows Service

                1
                T1543.003

                Scheduled Task/Job

                1
                T1053

                Scheduled Task

                1
                T1053.005

                Privilege Escalation

                Boot or Logon Autostart Execution

                1
                T1547

                Registry Run Keys / Startup Folder

                1
                T1547.001

                Create or Modify System Process

                1
                T1543

                Windows Service

                1
                T1543.003

                Scheduled Task/Job

                1
                T1053

                Scheduled Task

                1
                T1053.005

                Defense Evasion

                Impair Defenses

                2
                T1562

                Disable or Modify Tools

                2
                T1562.001

                Modify Registry

                4
                T1112

                Subvert Trust Controls

                1
                T1553

                Install Root Certificate

                1
                T1553.004

                Virtualization/Sandbox Evasion

                2
                T1497

                Credential Access

                Credentials from Password Stores

                1
                T1555

                Credentials from Web Browsers

                1
                T1555.003

                Unsecured Credentials

                4
                T1552

                Credentials In Files

                4
                T1552.001

                Discovery

                Query Registry

                6
                T1012

                System Information Discovery

                4
                T1082

                System Location Discovery

                1
                T1614

                System Language Discovery

                1
                T1614.001

                Virtualization/Sandbox Evasion

                2
                T1497

                Lateral Movement

                Collection

                Data from Local System

                3
                T1005

                Command and Control

                Exfiltration

                Impact

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\ProgramData\mozglue.dll
                  Filesize

                  593KB

                  MD5

                  c8fd9be83bc728cc04beffafc2907fe9

                  SHA1

                  95ab9f701e0024cedfbd312bcfe4e726744c4f2e

                  SHA256

                  ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

                  SHA512

                  fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

                  Download Submit

                • C:\ProgramData\nss3.dll
                  Filesize

                  2.0MB

                  MD5

                  1cc453cdf74f31e4d913ff9c10acdde2

                  SHA1

                  6e85eae544d6e965f15fa5c39700fa7202f3aafe

                  SHA256

                  ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

                  SHA512

                  dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

                  Download Submit

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
                  Filesize

                  328B

                  MD5

                  2657cefde602deb6bf9d90fab4454a6b

                  SHA1

                  a38f5f033d7821c722f7c82f5df97649d4e81057

                  SHA256

                  3845cd22f6d247c4b2a89ba6eefcc26f9f7729c4f09207ea0c8928d45b68d904

                  SHA512

                  137dee99d65d31800d282ef5d471c938bb1b2191518fa0006ef1c8dd9b59bb52952b0a0d5905b2493a21863e8cca725e0e1fd43878b74033cac788cbda2cb6be

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe
                  Filesize

                  2.5MB

                  MD5

                  eab5dd4b0d7f9e18d26862b312600f93

                  SHA1

                  9278a96cff76785646971f8252d70ab14328ee24

                  SHA256

                  631d8bebaa32e939ece2d304bf739987941cbb4a0e4a1326074e355e508e0c0c

                  SHA512

                  9efcbdc853b81b0a378e8ea8cf5779edf614b8534970927a68b91be1d6958ea11a63ddd47f132fc6956b53bbe53bda2d0cc143f7b6298f162f8a82e64b75248e

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1000004001\legas.exe
                  Filesize

                  1.4MB

                  MD5

                  e6d27b60afe69ac02b1eaec864c882ae

                  SHA1

                  a72b881867b7eaa9187398bd0e9e144af02ffff4

                  SHA256

                  aac36ff20ea7bfc0591c1d6b145b456bad394ee8e619343ec10d1809188edd75

                  SHA512

                  4f11fc2b36589fc9ff7dc5afd27cb91614f6a89bfd60942baebef025f53cb56ed7413abeff57fc7c85b3a2a4b0feec2649d5c5a856d3e2e9c13f6a0d8c777764

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
                  Filesize

                  307KB

                  MD5

                  68a99cf42959dc6406af26e91d39f523

                  SHA1

                  f11db933a83400136dc992820f485e0b73f1b933

                  SHA256

                  c200ddb7b54f8fa4e3acb6671f5fa0a13d54bd41b978d13e336f0497f46244f3

                  SHA512

                  7342073378d188912b3e7c6be498055ddf48f04c8def8e87c630c69294bcfd0802280babe8f86b88eaed40e983bcf054e527f457bb941c584b6ea54ad0f0aa75

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1000091001\2927.exe
                  Filesize

                  1.7MB

                  MD5

                  f734d3c885625d361b085cfc8af1fc25

                  SHA1

                  63ebbfac1ae03d7db04bf55523f07f3f4aa2b534

                  SHA256

                  1fc070d52f6c24eb6e83d5e9474d63868d47509a8aea3687782ebf61ebe97cfd

                  SHA512

                  e798e083f0f7c8d51988d105cdd1ca388befbd68f9045c980b689eb183ce99e512821f9dbc48cdfc9db03f507e61c26113279f7e3a5c150eee1dad09756e7024

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1000092001\JavUmar1.exe
                  Filesize

                  6.3MB

                  MD5

                  5e8fec7f2f2102b5dcd44c061f3197fc

                  SHA1

                  3d8f67a861dd144b6dba216db88012ee62aed4a6

                  SHA256

                  4caa926d2422c584f16a4373daea24880fbd08a7baf3c9214421281965f89ec6

                  SHA512

                  0aafde8e576e305c9d8a61af774235ff32e769270971e66b9cc6cce9ac4dccf1f4434cf1f63b0801beb8a271877d89ccd3b58e6c899d9fae17a6e9c19798ca08

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1000349001\dd935631ba.exe
                  Filesize

                  2.9MB

                  MD5

                  2ae9bdb4a9d94e457aa98e71788e4e65

                  SHA1

                  5a81475c01d941eb8afdb12600773681ec080944

                  SHA256

                  f5fd76fac1a61dfb2d0a9bea6a43987e283fce4d6874cc11f251a051c6c43180

                  SHA512

                  b131697f3fd78cb098a906098240c2d2fefd651ea10b12b3c70cf312b3c7f393c17ac7376ef6f657d3151b663b6c65254a3803b44e437757bc20bd95ea34d916

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1000354001\e3712cfedd.exe
                  Filesize

                  1.8MB

                  MD5

                  93f78f9420870439cade9279355e25b6

                  SHA1

                  c5adf61d97e9bac8a9aa6909570ec975451a3806

                  SHA256

                  aedf214437c454ffab2d52c478772288f189f639c92b5b842231bc4e37d1c52c

                  SHA512

                  b5ac17cc28553bc2c60e4ebea153fab725315254195d5d1deaac73799e1321f96f864249dc6b7b1f04533408a566f0d946e8a3d5a6b2c069bb99ed7380005d75

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1000355001\dfc22232a4.exe
                  Filesize

                  1.8MB

                  MD5

                  2577f76ee7b1bdab79b771de155a109f

                  SHA1

                  2edac4450eee712664c68a6e372c9e112ca340e2

                  SHA256

                  e236eb3995e8f59f5c7a12e0c165577ebf26f335663dab073b4529302774e44d

                  SHA512

                  1ea84181e03c3c492873ca08b6ff059d4c284a2427208a349bffa811ba4aa6f82bf9066b21dde404b63dea934602f11ed5cb0916b1e615ca4e64373a7679a797

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1000357001\52bfcbe041.exe
                  Filesize

                  1.6MB

                  MD5

                  f49809c36739335bfbfa90764ed626ab

                  SHA1

                  a146b99eb3c99504fef670f09a1f68b9e4b8732c

                  SHA256

                  1d5e64379c405f10bd5ffc480945b1b2c895d2520d7f6118ea8f1aa51abe6ac7

                  SHA512

                  9f54e50455c9afb885e72253cf8629f096ec9f0d5edcc8b8300db42cadec3c89133223a68059b6ab654e5f4b1208bd8f7aa01e51afad56bfea616286497d2f61

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1000399001\MK.exe
                  Filesize

                  314KB

                  MD5

                  ff5afed0a8b802d74af1c1422c720446

                  SHA1

                  7135acfa641a873cb0c4c37afc49266bfeec91d8

                  SHA256

                  17ac37b4946539fa7fa68b12bd80946d340497a7971802b5848830ad99ea1e10

                  SHA512

                  11724d26e11b3146e0fc947c06c59c004c015de0afea24ec28a4eb8145fcd51e9b70007e17621c83f406d9aeb7cd96601245671d41c3fcc88a27c33bd7cf55ac

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1000401001\num.exe
                  Filesize

                  307KB

                  MD5

                  791fcee57312d4a20cc86ae1cea8dfc4

                  SHA1

                  04a88c60ae1539a63411fe4765e9b931e8d2d992

                  SHA256

                  27e4a3627d7df2b22189dd4bebc559ae1986d49a8f4e35980b428fadb66cf23d

                  SHA512

                  2771d4e7b272bf770efad22c9fb1dfafe10cbbf009df931f091fb543e3132c0efda16acb5b515452e9e67e8b1fc8fe8aedd1376c236061385f026865cdc28d2c

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1000406001\Nework.exe
                  Filesize

                  416KB

                  MD5

                  f5d7b79ee6b6da6b50e536030bcc3b59

                  SHA1

                  751b555a8eede96d55395290f60adc43b28ba5e2

                  SHA256

                  2f1aff28961ba0ce85ea0e35b8936bc387f84f459a4a1d63d964ce79e34b8459

                  SHA512

                  532b17cd2a6ac5172b1ddba1e63edd51ab53a4527204415241e3a78e8ffeb9728071bde5ae1eefabefd2627f00963f8a5458668cd7b8df041c8683252ff56b46

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1000407001\processclass.exe
                  Filesize

                  6KB

                  MD5

                  c042782226565f89ce3954489075e516

                  SHA1

                  256dd5ba42837a33c7aa6cb71cef33d5617117ee

                  SHA256

                  a7b63cd9959ac6f23c86644a4ca5411b519855d47f1f5e75a1645d7274f545a6

                  SHA512

                  9f0771c66ea7c0a2264b99a8782e3ab88a2d74b609265b5ce14f81dcc52b71e46248abd77767018711d72a18e20fe3b272513bfd722fff9043f962f7c8ed93fd

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1000409001\splwow64.exe
                  Filesize

                  1.1MB

                  MD5

                  ed9393d5765529c845c623e35c1b1a34

                  SHA1

                  d3eca07f5ce0df847070d2d7fe5253067f624285

                  SHA256

                  53cd2428c9883acca7182781f22df82c38f8cc115dc014b68e32f8b1cdbf246a

                  SHA512

                  565f66ef604b10d5be70920d9813e58f5bde174d6a6d30eb8654f467775da8a665c555b7e4127fc22f8a5a5b54466137bde228fd932335517dd017d0ea51f3f8

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1000424001\app.exe
                  Filesize

                  20.4MB

                  MD5

                  7172ee8de6490094d4a5112eceaaaa90

                  SHA1

                  46a82d7628f31d91fb883056dfbd4d15d26bbd77

                  SHA256

                  11cabbb368deb30bc1f45feb6509b222c2b360707ff31c8b1e056c617477f28e

                  SHA512

                  91e2da0921f8d2596ac2e99e91b108e4d7dba6a97800c775bc9d9b4411fae3b7f0d811f48b107054664aff69c7cdd2c052220960cec9c525470f7266de5780d8

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\227495264221
                  MD5

                  d41d8cd98f00b204e9800998ecf8427e

                  SHA1

                  da39a3ee5e6b4b0d3255bfef95601890afd80709

                  SHA256

                  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                  SHA512

                  cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\227495264221
                  Filesize

                  74KB

                  MD5

                  488d36afb7a776c3eec00dbfcdc9df8c

                  SHA1

                  da13676c69ffdf5be546d97cc4fab2d9bd37a520

                  SHA256

                  c25522a81c12228ae652320981d4d4370e0b90b5dc6c6b5211f38417e83c3ebe

                  SHA512

                  546587745e6b6a3fd721f1f5fc877d6a35075414f5aa21b0f0d069dfeb48fcc602c1d192bc4a2b40353ed54a3b852ec75eb1c683c8d58261cfc7c8bbbd49db56

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
                  Filesize

                  1.8MB

                  MD5

                  130b282dc6eb40ad9df048de58ac4e96

                  SHA1

                  2195152ae0ed7102147302131e3c4069df145892

                  SHA256

                  86b9d17c28f513e6610f028215365d251053d95326a6e2d4dc5d3d84d791887e

                  SHA512

                  f3106a723038e069c23730b2613c0da43185857d5b2c3b8bc47f637910a961f9fded496ba0181b32499ca82cf1f29695401289d1f5417de33afb839652db6ce1

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\TmpC12D.tmp
                  Filesize

                  2KB

                  MD5

                  1420d30f964eac2c85b2ccfe968eebce

                  SHA1

                  bdf9a6876578a3e38079c4f8cf5d6c79687ad750

                  SHA256

                  f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

                  SHA512

                  6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_woltxi3m.yig.ps1
                  Filesize

                  60B

                  MD5

                  d17fe0a3f47be24a6453e9ef58c94641

                  SHA1

                  6ab83620379fc69f80c0242105ddffd7d98d5d9d

                  SHA256

                  96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                  SHA512

                  5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\is-G8716.tmp\idp.dll
                  Filesize

                  232KB

                  MD5

                  55c310c0319260d798757557ab3bf636

                  SHA1

                  0892eb7ed31d8bb20a56c6835990749011a2d8de

                  SHA256

                  54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed

                  SHA512

                  e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\is-JRF6D.tmp\2927.tmp
                  Filesize

                  3.1MB

                  MD5

                  bba584f217419c351e6ae092c664271d

                  SHA1

                  972ba560cdff81c57ce852687e9b3e85542d2c61

                  SHA256

                  b6e4f561c0b627441f052fc40bf2dcab04c4320da15205f24e64b40d55fa4151

                  SHA512

                  04fd9a7fa34fc8056d3ac8006cdccbd98c42389424c5301981d3223645eb9792ac23d8202fc9948e97bd02832d0635607586783ccd53e2643ad43175acccf6e1

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Office Manager.url
                  Filesize

                  70B

                  MD5

                  1c5c0d2105718982915d88e1e34b7c24

                  SHA1

                  ecb11df5274a3a37c81fc19b95ec316d39bb6f03

                  SHA256

                  b5fd05a1a23d90dee32a1f61158a1e0859fde6882b289267c90845bb995b0c09

                  SHA512

                  9e1f86ca561c034078acbce22e6b3b2dc938a883f4897167c96ad7c61f28d30075d66557335825c18a00f96467fbd1dee067bb756388ba60b21443ba964ba331

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\pDn6cvCk8v.exe
                  Filesize

                  393KB

                  MD5

                  7d7366ab79d6d3d8d83d13a8b30de999

                  SHA1

                  75c6c49a6701d254c3ce184054a4a01329c1a6f3

                  SHA256

                  3d66fed04c76d055c6149b33dcfda544b509c57087c57a861e1d6256b59f8465

                  SHA512

                  64f4551b3be1c21ce7c2d49608463e5aec4166e3e6893883c33a5b7d1109ef0fc8ab6bd15c70d9d606e2706f12a937c2d90d5bc8f6c629ad6f30f212dc25f022

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\tW3lXIBtNw.exe
                  Filesize

                  602KB

                  MD5

                  e4fc58d334930a9d6572c344e5129f6b

                  SHA1

                  d38fbd0c4c86eee14722f40cc607e2128c01b00f

                  SHA256

                  973a9056040af402d6f92f436a287ea164fae09c263f80aba0b8d5366ed9957a

                  SHA512

                  a69f5da8de8c9782769cca2e2fc5b28bbeba0c0d0027954dbe47b15610d82277abbe912f0e5921a18000f1a3a3c54eb5922f70c773537a22f4b35ff926d17a59

                  Download Submit

                • memory/232-0-0x0000000000820000-0x0000000000CE0000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/232-17-0x0000000000820000-0x0000000000CE0000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/232-4-0x0000000000820000-0x0000000000CE0000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/232-3-0x0000000000820000-0x0000000000CE0000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/232-2-0x0000000000821000-0x000000000084F000-memory.dmp

                  Filesize

                  184KB

                  Download

                • memory/232-1-0x00000000777A4000-0x00000000777A6000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/552-50-0x0000000000C00000-0x0000000000FDD000-memory.dmp

                  Filesize

                  3.9MB

                  Download

                • memory/1048-391-0x0000000000400000-0x00000000004D8000-memory.dmp

                  Filesize

                  864KB

                  Download

                • memory/1048-424-0x0000000000400000-0x00000000004D8000-memory.dmp

                  Filesize

                  864KB

                  Download

                • memory/1224-131-0x000000001BE60000-0x000000001BE9C000-memory.dmp

                  Filesize

                  240KB

                  Download

                • memory/1224-189-0x000000001E8B0000-0x000000001EA72000-memory.dmp

                  Filesize

                  1.8MB

                  Download

                • memory/1224-127-0x000000001BBF0000-0x000000001BC02000-memory.dmp

                  Filesize

                  72KB

                  Download

                • memory/1224-122-0x000000001D360000-0x000000001D46A000-memory.dmp

                  Filesize

                  1.0MB

                  Download

                • memory/1224-103-0x00000000000F0000-0x000000000018C000-memory.dmp

                  Filesize

                  624KB

                  Download

                • memory/1224-154-0x000000001DE30000-0x000000001DEA6000-memory.dmp

                  Filesize

                  472KB

                  Download

                • memory/1224-155-0x000000001ADA0000-0x000000001ADBE000-memory.dmp

                  Filesize

                  120KB

                  Download

                • memory/1648-20-0x0000000000C90000-0x0000000001150000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/1648-53-0x0000000000C90000-0x0000000001150000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/1648-539-0x0000000000C90000-0x0000000001150000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/1648-18-0x0000000000C90000-0x0000000001150000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/1648-19-0x0000000000C91000-0x0000000000CBF000-memory.dmp

                  Filesize

                  184KB

                  Download

                • memory/1648-30-0x0000000000C90000-0x0000000001150000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/1648-31-0x0000000000C90000-0x0000000001150000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/1648-542-0x0000000000C90000-0x0000000001150000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/1648-22-0x0000000000C90000-0x0000000001150000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/1648-47-0x0000000000C90000-0x0000000001150000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/1648-237-0x0000000000C90000-0x0000000001150000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/1648-425-0x0000000000C90000-0x0000000001150000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/1648-21-0x0000000000C90000-0x0000000001150000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/1648-495-0x0000000000C90000-0x0000000001150000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/2000-446-0x0000000000DA0000-0x00000000010BA000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/2000-407-0x0000000000DA0000-0x00000000010BA000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/2044-422-0x0000000000400000-0x000000000071C000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/2336-356-0x000000000B9A0000-0x000000000BA24000-memory.dmp

                  Filesize

                  528KB

                  Download

                • memory/2336-353-0x0000000000E00000-0x0000000000F18000-memory.dmp

                  Filesize

                  1.1MB

                  Download

                • memory/2460-233-0x00000000055F0000-0x0000000005B94000-memory.dmp

                  Filesize

                  5.6MB

                  Download

                • memory/2460-232-0x0000000000710000-0x0000000000764000-memory.dmp

                  Filesize

                  336KB

                  Download

                • memory/2636-104-0x0000000000450000-0x00000000004B8000-memory.dmp

                  Filesize

                  416KB

                  Download

                • memory/2636-191-0x000000001F940000-0x000000001FE68000-memory.dmp

                  Filesize

                  5.2MB

                  Download

                • memory/4084-69-0x0000000000400000-0x0000000000531000-memory.dmp

                  Filesize

                  1.2MB

                  Download

                • memory/4084-100-0x0000000000400000-0x0000000000531000-memory.dmp

                  Filesize

                  1.2MB

                  Download

                • memory/4084-71-0x0000000000400000-0x0000000000531000-memory.dmp

                  Filesize

                  1.2MB

                  Download

                • memory/4084-70-0x0000000000400000-0x0000000000531000-memory.dmp

                  Filesize

                  1.2MB

                  Download

                • memory/4144-188-0x0000000000480000-0x000000000092C000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/4144-227-0x0000000000480000-0x000000000092C000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/4240-586-0x0000000007D80000-0x0000000007EAC000-memory.dmp

                  Filesize

                  1.2MB

                  Download

                • memory/4240-584-0x0000000000C60000-0x00000000020C6000-memory.dmp

                  Filesize

                  20.4MB

                  Download

                • memory/4240-1661-0x0000000007F80000-0x0000000008026000-memory.dmp

                  Filesize

                  664KB

                  Download

                • memory/4240-1662-0x0000000008190000-0x00000000081DC000-memory.dmp

                  Filesize

                  304KB

                  Download

                • memory/4240-1711-0x0000000006500000-0x0000000006554000-memory.dmp

                  Filesize

                  336KB

                  Download

                • memory/4264-26-0x0000000000C90000-0x0000000001150000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/4264-28-0x0000000000C90000-0x0000000001150000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/4264-24-0x0000000000C90000-0x0000000001150000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/4264-29-0x0000000000C91000-0x0000000000CBF000-memory.dmp

                  Filesize

                  184KB

                  Download

                • memory/4264-25-0x0000000000C90000-0x0000000001150000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/4264-112-0x0000000000C90000-0x0000000001150000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/4280-468-0x00000000004C0000-0x000000000090A000-memory.dmp

                  Filesize

                  4.3MB

                  Download

                • memory/4280-467-0x00000000004C0000-0x000000000090A000-memory.dmp

                  Filesize

                  4.3MB

                  Download

                • memory/4280-534-0x00000000004C0000-0x000000000090A000-memory.dmp

                  Filesize

                  4.3MB

                  Download

                • memory/4280-522-0x00000000004C0000-0x000000000090A000-memory.dmp

                  Filesize

                  4.3MB

                  Download

                • memory/4280-469-0x00000000004C0000-0x000000000090A000-memory.dmp

                  Filesize

                  4.3MB

                  Download

                • memory/4316-490-0x0000000000C10000-0x0000000000E71000-memory.dmp

                  Filesize

                  2.4MB

                  Download

                • memory/4316-486-0x0000000000C10000-0x0000000000E71000-memory.dmp

                  Filesize

                  2.4MB

                  Download

                • memory/4324-333-0x0000000000AB0000-0x0000000000AB8000-memory.dmp

                  Filesize

                  32KB

                  Download

                • memory/4332-276-0x0000000006410000-0x000000000642E000-memory.dmp

                  Filesize

                  120KB

                  Download

                • memory/4332-426-0x0000000009E20000-0x0000000009E70000-memory.dmp

                  Filesize

                  320KB

                  Download

                • memory/4332-308-0x0000000006D30000-0x0000000006D7C000-memory.dmp

                  Filesize

                  304KB

                  Download

                • memory/4332-363-0x00000000067F0000-0x0000000006856000-memory.dmp

                  Filesize

                  408KB

                  Download

                • memory/4332-294-0x0000000006C90000-0x0000000006CA2000-memory.dmp

                  Filesize

                  72KB

                  Download

                • memory/4332-274-0x0000000005C50000-0x0000000005CC6000-memory.dmp

                  Filesize

                  472KB

                  Download

                • memory/4332-287-0x0000000006DA0000-0x00000000073B8000-memory.dmp

                  Filesize

                  6.1MB

                  Download

                • memory/4332-441-0x000000000A880000-0x000000000ADAC000-memory.dmp

                  Filesize

                  5.2MB

                  Download

                • memory/4332-435-0x000000000A180000-0x000000000A342000-memory.dmp

                  Filesize

                  1.8MB

                  Download

                • memory/4332-235-0x0000000000400000-0x0000000000452000-memory.dmp

                  Filesize

                  328KB

                  Download

                • memory/4332-293-0x0000000008620000-0x000000000872A000-memory.dmp

                  Filesize

                  1.0MB

                  Download

                • memory/4332-299-0x0000000006CF0000-0x0000000006D2C000-memory.dmp

                  Filesize

                  240KB

                  Download

                • memory/4332-239-0x00000000050D0000-0x00000000050DA000-memory.dmp

                  Filesize

                  40KB

                  Download

                • memory/4332-238-0x0000000005010000-0x00000000050A2000-memory.dmp

                  Filesize

                  584KB

                  Download

                • memory/4420-113-0x0000000000620000-0x0000000000881000-memory.dmp

                  Filesize

                  2.4MB

                  Download

                • memory/4420-139-0x0000000061E00000-0x0000000061EF3000-memory.dmp

                  Filesize

                  972KB

                  Download

                • memory/4420-334-0x0000000000620000-0x0000000000881000-memory.dmp

                  Filesize

                  2.4MB

                  Download

                • memory/4448-448-0x00000000007C0000-0x0000000000E6B000-memory.dmp

                  Filesize

                  6.7MB

                  Download

                • memory/4448-444-0x00000000007C0000-0x0000000000E6B000-memory.dmp

                  Filesize

                  6.7MB

                  Download

                • memory/4588-538-0x0000000000390000-0x000000000083C000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/4588-225-0x0000000000390000-0x000000000083C000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/4588-541-0x0000000000390000-0x000000000083C000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/4588-404-0x0000000000390000-0x000000000083C000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/4588-471-0x0000000000390000-0x000000000083C000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/4588-419-0x0000000000390000-0x000000000083C000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/4836-412-0x00000000004E0000-0x0000000000B8B000-memory.dmp

                  Filesize

                  6.7MB

                  Download

                • memory/4836-354-0x00000000004E0000-0x0000000000B8B000-memory.dmp

                  Filesize

                  6.7MB

                  Download

                • memory/4836-132-0x00000000004E0000-0x0000000000B8B000-memory.dmp

                  Filesize

                  6.7MB

                  Download

                • memory/5304-540-0x0000000000690000-0x0000000000CD7000-memory.dmp

                  Filesize

                  6.3MB

                  Download

                • memory/5304-512-0x0000000069CC0000-0x000000006A37B000-memory.dmp

                  Filesize

                  6.7MB

                  Download

                • memory/5396-525-0x0000000000400000-0x0000000000471000-memory.dmp

                  Filesize

                  452KB

                  Download

                • memory/5396-536-0x0000000000400000-0x0000000000471000-memory.dmp

                  Filesize

                  452KB

                  Download

                • memory/5396-524-0x0000000000400000-0x0000000000471000-memory.dmp

                  Filesize

                  452KB

                  Download

                • memory/5396-526-0x0000000000400000-0x0000000000471000-memory.dmp

                  Filesize

                  452KB

                  Download

                • memory/5432-1682-0x0000000005CE0000-0x0000000005D2C000-memory.dmp

                  Filesize

                  304KB

                  Download

                • memory/5432-1684-0x0000000073790000-0x00000000737DC000-memory.dmp

                  Filesize

                  304KB

                  Download

                • memory/5432-1706-0x00000000072F0000-0x00000000072F8000-memory.dmp

                  Filesize

                  32KB

                  Download

                • memory/5432-1704-0x0000000007210000-0x0000000007224000-memory.dmp

                  Filesize

                  80KB

                  Download

                • memory/5432-1667-0x00000000026C0000-0x00000000026F6000-memory.dmp

                  Filesize

                  216KB

                  Download

                • memory/5432-1668-0x0000000004DA0000-0x00000000053C8000-memory.dmp

                  Filesize

                  6.2MB

                  Download

                • memory/5432-1669-0x0000000005510000-0x0000000005532000-memory.dmp

                  Filesize

                  136KB

                  Download

                • memory/5432-1675-0x00000000055B0000-0x0000000005616000-memory.dmp

                  Filesize

                  408KB

                  Download

                • memory/5432-1703-0x0000000007200000-0x000000000720E000-memory.dmp

                  Filesize

                  56KB

                  Download

                • memory/5432-1680-0x0000000005830000-0x0000000005B84000-memory.dmp

                  Filesize

                  3.3MB

                  Download

                • memory/5432-1681-0x0000000005CA0000-0x0000000005CBE000-memory.dmp

                  Filesize

                  120KB

                  Download

                • memory/5432-1705-0x0000000007310000-0x000000000732A000-memory.dmp

                  Filesize

                  104KB

                  Download

                • memory/5432-1683-0x0000000006270000-0x00000000062A2000-memory.dmp

                  Filesize

                  200KB

                  Download

                • memory/5432-1701-0x00000000071D0000-0x00000000071E1000-memory.dmp

                  Filesize

                  68KB

                  Download

                • memory/5432-1694-0x0000000006E70000-0x0000000006E8E000-memory.dmp

                  Filesize

                  120KB

                  Download

                • memory/5432-1695-0x0000000006EA0000-0x0000000006F43000-memory.dmp

                  Filesize

                  652KB

                  Download

                • memory/5432-1697-0x0000000007610000-0x0000000007C8A000-memory.dmp

                  Filesize

                  6.5MB

                  Download

                • memory/5432-1698-0x0000000006FD0000-0x0000000006FEA000-memory.dmp

                  Filesize

                  104KB

                  Download

                • memory/5432-1699-0x0000000007040000-0x000000000704A000-memory.dmp

                  Filesize

                  40KB

                  Download

                • memory/5432-1700-0x0000000007250000-0x00000000072E6000-memory.dmp

                  Filesize

                  600KB

                  Download

                • memory/5776-544-0x0000000000400000-0x0000000000471000-memory.dmp

                  Filesize

                  452KB

                  Download

                • memory/5776-552-0x0000000000400000-0x0000000000471000-memory.dmp

                  Filesize

                  452KB

                  Download

                • memory/5776-545-0x0000000000400000-0x0000000000471000-memory.dmp

                  Filesize

                  452KB

                  Download

                • memory/5824-1715-0x0000000000960000-0x00000000009BE000-memory.dmp

                  Filesize

                  376KB

                  Download

                • memory/6012-556-0x0000000000390000-0x000000000083C000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/6012-561-0x0000000000390000-0x000000000083C000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/6048-559-0x0000000000C90000-0x0000000001150000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/6048-558-0x0000000000C90000-0x0000000001150000-memory.dmp

                  Filesize

                  4.8MB

                  Download